Presentation by Vincent Vanbiervliet at Sophos Security Day 2015 on the new products from Sophos, such as Synchronized Security and the new XG Firewall.
What we’re going to cover
• What’s the problem?
• It’s time for a security revolution
• How it works
• Synchronized Security 2015-2016
• Your path to synchronized Security
Generations of security
Point Products: Anti-virus, IPS, Firewall, Sandbox
Layers: Bundles, Suites, UTM, EMM
Synchronized Security: Security Heartbeat™
Comprehensive protection
• Prevent Malware
• Detect Compromises
• Remediate Threats
• Investigate Issues
• Encrypt Data
[Diagram: Synchronized Security spanning Mac, Android, Windows, iOS, Windows Phone, Linux and corporate data]
Integration at a different level
Synchronized Security:
• System-level intelligence
• Automated correlation
• Faster decision-making
• Accelerated Threat Discovery
• Automated Incident Response
• Simple unified management
Alternative:
• Resource intensive
• Manual correlation
• Dependent upon human analysis
• Manual Threat/Incident response
• Extra products
• Endpoint/Network unaware of each other
[Diagram labels: Management over Enduser and Network (Synchronized Security); SIEM over separate Endpoint Mgmt and NW Mgmt for Endpoint and Network (Alternative)]
Synchronized Security
Security must be comprehensive: the capabilities required to fully satisfy customer need.
Security can be made simple: platform, deployment, licensing, user experience.
Security is more effective as a system: new possibilities through technology cooperation.
Synchronized Security: integrated, context-aware security where Enduser and Network technology share meaningful information to deliver better protection.
[Diagram: SOPHOS LABS and Sophos Cloud above Next Gen Network Security and Next Gen Enduser Security, linked by heartbeat]
3 pillars of advanced threat protection
Security Heartbeat™
Accelerated Threat Discovery: endpoint and network protection combine to identify unknown threats faster. Sophos Security Heartbeat™ pulses real-time information on suspicious behaviors. Faster, better decisions.
Active Source Identification: identification by device reduces the time taken to manually identify an infected or at-risk device or host from its IP address alone. Quicker, easier investigation.
Automated Incident Response: compromised endpoints are isolated by the firewall automatically, while the endpoint terminates and removes malicious software. Reduced threat impact.
System Initialization
Registration: NGEP and NGFW register with Sophos Cloud, which sends certificate/security info to both.
Connection: endpoints initiate a connection to the trusted Firewall.
Validation: Firewall and endpoints check the security info sent to them by the Cloud to verify they are valid.
Support of multiple locations: endpoints can establish a connection to Firewalls at any customer location, as the Sophos Cloud registry can be shared among all Galileo-enabled Firewalls.
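The initialization flow above (register with the cloud, endpoint connects to the firewall, both sides validate what the cloud issued, and any firewall of the same customer accepts the endpoint because the registry is shared) can be walked through in a small simulation. The following is an added example, not Sophos code and not the real protocol: the slides only say the cloud sends "certificate/sec info" to both sides, so here that info is modelled as a per-customer secret from which each side derives HMAC proofs; the class names, the customer and device identifiers and the nonce handshake are assumptions made for illustration.

```python
"""Added example (not Sophos code): a simulation of the System Initialization
flow. The cloud-issued "certificate/sec info" is modelled as a per-customer
secret plus HMAC proofs (assumption); the real product uses certificates."""
import hashlib
import hmac
import secrets


class SophosCloudRegistry:
    """Constructed stand-in for the Sophos Cloud registry shared by a customer's firewalls."""

    def __init__(self):
        self._customer_secret = {}   # customer_id -> secret bytes
        self._devices = {}           # (customer_id, device_id) -> role ("NGEP" or "NGFW")

    def register(self, customer_id, device_id, role):
        """Registration: NGEP or NGFW registers and receives the customer's security info."""
        secret = self._customer_secret.setdefault(customer_id, secrets.token_bytes(32))
        self._devices[(customer_id, device_id)] = role
        return secret

    def is_registered(self, customer_id, device_id, role):
        return self._devices.get((customer_id, device_id)) == role


def credential(secret, device_id, role, nonce):
    """HMAC over (device_id, role, nonce): proves possession of the cloud-issued secret
    without revealing it; the nonce ties the proof to this connection attempt."""
    msg = f"{device_id}|{role}|{nonce}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class Firewall:
    def __init__(self, cloud, customer_id, fw_id):
        self.cloud, self.customer_id, self.fw_id = cloud, customer_id, fw_id
        self.secret = cloud.register(customer_id, fw_id, "NGFW")
        self.trusted_endpoints = set()

    def accept(self, endpoint_id, nonce, proof):
        """Validation (firewall side): check the endpoint's proof against the cloud-issued
        secret and confirm the cloud lists this device as an endpoint; then answer with
        the firewall's own proof so the endpoint can validate the firewall in turn."""
        expected = credential(self.secret, endpoint_id, "NGEP", nonce)
        if not hmac.compare_digest(expected, proof):
            return None
        if not self.cloud.is_registered(self.customer_id, endpoint_id, "NGEP"):
            return None
        self.trusted_endpoints.add(endpoint_id)
        return credential(self.secret, self.fw_id, "NGFW", nonce)


class Endpoint:
    def __init__(self, cloud, customer_id, ep_id):
        self.cloud, self.customer_id, self.ep_id = cloud, customer_id, ep_id
        self.secret = cloud.register(customer_id, ep_id, "NGEP")

    def connect(self, firewall):
        """Connection + Validation (endpoint side): the endpoint initiates, presents its
        proof, and only trusts the firewall if the reply verifies under the same secret."""
        nonce = secrets.token_hex(8)
        proof = credential(self.secret, self.ep_id, "NGEP", nonce)
        reply = firewall.accept(self.ep_id, nonce, proof)
        if reply is None:
            return False
        return hmac.compare_digest(reply, credential(self.secret, firewall.fw_id, "NGFW", nonce))


def demo():
    """Constructed scenario: one customer with two locations, plus a device from another customer."""
    cloud = SophosCloudRegistry()
    fw_hq = Firewall(cloud, "acme", "fw-hq")
    fw_branch = Firewall(cloud, "acme", "fw-branch")      # second location, same shared registry
    laptop = Endpoint(cloud, "acme", "laptop-01")
    foreign = Endpoint(cloud, "other-corp", "laptop-99")   # different customer, different secret
    return {
        "hq": laptop.connect(fw_hq),
        "branch": laptop.connect(fw_branch),
        "other_customer": foreign.connect(fw_hq),
    }
```

The multi-location property falls out of the shared registry: `laptop-01` is accepted by `fw-branch` without any extra enrollment, while `laptop-99`, registered under a different customer, is rejected by `fw-hq` even though it followed the same protocol.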
Accelerated Threat Discovery
Security Heartbeat: a few bytes of information are shared every 15 seconds from Endpoint to Network.
Events: upon discovery, security information such as Malware or PUA is shared between Endpoints and Network.
Health: Endpoint sends Red, Yellow, Green health status to Network.
VPN support: Galileo supports endpoints connected within the local network as well as those connected via VPN, as long as they are connecting to the Firewall.
Active Source Identification
Security Heartbeat: positively identifying the machine by associating the IP address with a particular Endpoint.
Advanced Attack: if the Network Firewall detects an advanced attack but can't determine the source, it requests details from endpoints.
Source Identification: the Endpoint sends details of machine name, user, process and IP address.
Automated Incident Response
Green: endpoints have full access to internal applications and data as well as the internet.
Yellow: affected endpoints can be isolated from internal/sensitive applications and data while maintaining access to the internet.
Red: affected endpoints are isolated from the network and have no access to internal systems or the external internet.
Defaults and customization: there are no default policies based on health status, so admins can customize responses as needed. We are developing a best practices guide to assist customers in recommended policy setup.
Comprehensive Next-Gen Endpoint
SOPHOS SYSTEM PROTECTOR components: Application Tracking, Threat Engine, Application Control, Reputation, Emulator, HIPS/Runtime Protection, Device Control, Malicious Traffic Detection, Web Protection, IoC Collector, Live Protection, Security Heartbeat™
Comprehensive Next-Gen Network
SOPHOS FIREWALL OPERATING SYSTEM components: Web Filtering, Intrusion Prevention System, Routing, Email Security, Security Heartbeat™, Selective Sandbox, Application Control, Data Loss Prevention, ATP Detection, Proxy, Threat Engine, Firewall
Next Generation Threat Detection
[Diagram: the Sophos System Protector and Sophos Firewall Operating System component stacks from the two preceding slides, linked through Sophos Cloud by heartbeat]
Compromise (User | System | File):
• Firewall: isolate subnet and WAN access
• Block/remove malware
• Identify & clean other infected systems
Improved Threat Detection
[Diagram: the Sophos System Protector and Sophos Firewall Operating System component stacks, linked through Sophos Cloud by heartbeat]
Compromise (User | System | File):
• Firewall: lockdown local network access
• Remove file encryption keys
• Terminate/remove malware
• Identify & clean other infected systems
Automated Protection of Endpoints
[Diagram: the Sophos System Protector and Sophos Firewall Operating System component stacks, linked through Sophos Cloud by heartbeat]
Endpoint (Win | Mac | Mobile) and Firewall:
• Discover unmanaged Endpoints
• Could it be managed?
• Self-service portal setup
• User authentication
• Distribute security profile
Detect and Remediate Compromises
[Diagram: the Sophos System Protector and Sophos Firewall Operating System component stacks, linked through Sophos Cloud by heartbeat]
Compromise (User | System | File) and Firewall:
• Identify compromise
• Detect source
• Assess impact
• Block/remove malware
• Identify & clean other infected systems
Each product (FW, AV, device control, app control, mobile) has a unique way of looking at the network. You are looking at it from a side view, not a top-down 3D view. This is just the nature of the beast. The FW just looks at the network: if it's designed to let port 80 through, I craft my malware to use port 80. We're left with competent products, but only a 2D view (un-integrated).
Endpoint security used to be about stopping malware from infecting Windows PCs on the network.
Now it has to evolve to not only prevent malware, but also detect machines that are already compromised and help remediate detected threats on a variety of workstation and mobile platforms.
Endpoint security also has to include a focus on the data, ensuring it is encrypted and accessible only to authorized users regardless of where the data lives.
NGFW notes whether the EP is sending Heartbeat (if it is, it is definitely managed).
If not, NGFW characterizes the EP by inspecting traffic (e.g. is it Windows, Mac, a printer, an IP phone, a mobile device, etc.).
NGFW queries Cloud EP management to ask two questions:
1) Could it be managed? (true for Windows, Mac, mobile; false for printer, IP phone, etc.)
2) Is it managed already? (to cover the case where we don't support Heartbeat on that platform yet)
If the device is one which could be managed but isn't, NGFW redirects the device to a Self Service portal defined by the Administrator to become managed.
NGFW restricts network traffic from that device to that portal to protect the customer network. This is also an incentive for the device owner to make the device compliant.
Portal authenticates the user (username / password).
Portal will present device-dependent information, e.g. installers for Cloud EP (Windows, Mac), a registration page for mobiles, etc.
Portal can also contain security profile information for that customer, e.g. certificates to be installed to access the customer's WiFi and network resources.
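The decision sequence in these notes (heartbeat present, otherwise characterize, ask the cloud the two questions, then either allow or confine the device to the portal) and the Active Source Identification lookup from the earlier slide both key off the same firewall-side table of who is sending heartbeats, so one added example covers both. This is not Sophos code: the traffic fingerprints, the cloud stand-in, the host identifier the firewall passes along and the portal URL are constructed assumptions; the real characterization step would be far richer than a substring lookup.

```python
"""Added example (not Sophos code): the unmanaged-endpoint decision flow from the
speaker notes, plus the Active Source Identification lookup. Fingerprints, cloud
answers, host identifiers and the portal URL are constructed sample data."""
from dataclasses import dataclass


@dataclass
class HeartbeatRecord:
    """What the firewall learned from an endpoint's heartbeats (machine, user, process)."""
    machine: str
    user: str
    process: str


class CloudEndpointManagement:
    """Stand-in for the Cloud EP management service the NGFW queries."""
    MANAGEABLE = {"windows", "mac", "mobile"}     # printers, IP phones etc. are not

    def __init__(self, managed_hosts):
        # Hosts enrolled in the cloud but not sending heartbeat (platform without Heartbeat support).
        self.managed_hosts = set(managed_hosts)

    def could_be_managed(self, device_type):
        return device_type in self.MANAGEABLE

    def is_managed(self, host_id):
        return host_id in self.managed_hosts


# Constructed fingerprints -> device type; a real firewall would use much richer traffic inspection.
FINGERPRINTS = {
    "Windows NT": "windows",
    "Macintosh": "mac",
    "Android": "mobile",
    "iPhone": "mobile",
    "SIP/2.0": "ip_phone",
    "IPP": "printer",
}


def characterize(traffic_sample):
    """Characterize the EP by inspecting traffic (assumed heuristic: first matching fingerprint)."""
    for needle, device_type in FINGERPRINTS.items():
        if needle in traffic_sample:
            return device_type
    return "unknown"


def decide(heartbeats, cloud, ip, host_id, traffic_sample, portal_url):
    """The NGFW's decision for a device seen at `ip`. `host_id` is whatever identifier the
    firewall can associate with the device (assumption, e.g. a DHCP hostname)."""
    # 1. Sending heartbeat? Then it is definitely managed.
    if ip in heartbeats:
        return {"action": "allow", "reason": "heartbeat present"}
    # 2. No heartbeat: characterize from traffic.
    device_type = characterize(traffic_sample)
    # 3. Ask the cloud the two questions.
    if not cloud.could_be_managed(device_type):
        # Unknown devices land here too; a deployment would want them logged for review.
        return {"action": "allow", "reason": f"{device_type} cannot be managed", "log": device_type == "unknown"}
    if cloud.is_managed(host_id):
        return {"action": "allow", "reason": "managed on a platform without Heartbeat support"}
    # 4. Manageable but unmanaged: confine the device to the self-service portal.
    return {"action": "redirect", "portal": portal_url, "allowed_destinations": {portal_url}}


def identify_source(heartbeats, ip):
    """Active Source Identification: the firewall has only an IP for an attack and asks
    the endpoint beating from that IP for machine name, user and process."""
    rec = heartbeats.get(ip)
    if rec is None:
        return {"ip": ip, "identified": False}
    return {"ip": ip, "identified": True, "machine": rec.machine, "user": rec.user, "process": rec.process}


def demo():
    """Constructed scenario: one beating laptop, an unmanaged Mac, a printer and an enrolled phone."""
    beats = {"10.0.0.5": HeartbeatRecord("LAPTOP-01", "alice", "chrome.exe")}
    cloud = CloudEndpointManagement(managed_hosts={"phone-bob"})
    portal = "https://portal.example/enrol"   # assumed admin-defined portal
    return {
        "managed_win": decide(beats, cloud, "10.0.0.5", "LAPTOP-01", "UA: Windows NT 10.0", portal)["action"],
        "unmanaged_mac": decide(beats, cloud, "10.0.0.7", "mac-carol", "UA: Macintosh; Intel Mac OS X", portal)["action"],
        "printer": decide(beats, cloud, "10.0.0.8", "printer-3", "POST /ipp/print IPP/2.0", portal)["action"],
        "managed_mobile": decide(beats, cloud, "10.0.0.9", "phone-bob", "UA: Android 6.0", portal)["action"],
        "source_known": identify_source(beats, "10.0.0.5")["identified"],
        "source_unknown": identify_source(beats, "10.0.0.7")["identified"],
    }
```

The ordering of the checks matters: the heartbeat test comes first because it is the only positive proof of management, and the redirect is reached only after both cloud answers, so a device that is enrolled but cannot beat (the second question) is never bounced to the portal it has already been through.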
Alternative slide option to slide 28 in case you prefer this version.